CIO

A first look at Sophos Mobile Control

People are increasingly accessing the internet using a single mobile device.

People are accessing the internet (and their own corporate services) in changing ways, increasingly through a single mobile device. Focus is increasingly placed on smartphones to stay up-to-date socially and professionally, and the blurring of these roles poses new security challenges for all businesses.

The core issue for many businesses remains control; how does the organisation ensure that any phone accessing corporate information meets the required baseline security standard before it connects to the network?

Sophos has released its own solution for this: Sophos Mobile Control (SMC). SMC uses functionality already present in many mainstream devices to help securely and remotely lock down the smartphone. The product supports Apple iOS, Google Android, and Windows Mobile handsets.

SMC is intended to provide an IT administrator with a simple means to enforce corporate security policy on both personal and company-issued mobiles. It means a blanket ban on personal devices is unnecessary.

The solution can be installed on new and existing infrastructure and utilises common technologies including Microsoft Windows Server, Microsoft SQL Server, and Java-based components. LDAP integration is also an option to help decrease the burden of setting up new users.

The majority of administrators will probably be able to install this product with little effort or learning required. SMC is easily connected to a Sophos-provided SMS messaging hub for device set-up and control tasks, often with no additional impact on the customer (based on usage projections). Policies are set through the SMC console.

It is worth noting that Sophos can also deploy the SMC as a secure, segregated multi-tenant environment that may, in particular, be suited to the needs of service providers.

So, what does it do and how does it work?

SMC allows administrators to set up device policy controls through an easy-to-use web-based management portal, then push them over-the-air to any handset within its inventory. Policies can be fine-grained and tied back to device profiles, helping to cater for the individual needs of the most demanding organisations.

Typically, a new device can be fully provisioned and added to the corporate inventory in a matter of minutes. The administrator can either send an SMS message to the end user that prompts a remote software installation, or they can install the software locally without user intervention (depending on preferences, location, and general circumstances).

It is even possible to schedule a profile transfer to begin at a specified future time. Once a device is added to the SMC inventory, the administrator can view the device information (great for audit and asset management purposes), or use one of myriad reporting options to get details about the applications installed on a particular handset. It can also track and provide information about the data traffic from individual devices, including Wi-Fi, 3G, and roaming usage.

When we took SMC for a test drive, it was hard not to be impressed by its intuitive, cleanly designed interface. Delving a little deeper, SMC provides a powerful set of features for device management and security.

Other impressive features include its passcode policy options, which allow complexity and length to be set and enforced at administrator level; the ability to silently stop access to handset hardware components such as an onboard camera or Bluetooth connectivity; and its ability to revoke screen capture and game capabilities. It can also detect and positively react to tampering (and even identify rooted Android devices) with options to prevent corporate email access from the handset.

Another great feature with obvious business benefits is its ability to enable an administrator to remotely provision consistent VPN, email, and Wi-Fi accounts across the mobile device inventory.

The SMC also has the capability to manage and deploy applications remotely, including pre-configuring and uninstalling applications over-the-air. In fact, the feature set suggests that Sophos is directly tackling compliance, regulation, and productivity and, we’d say, with a degree of success.

The solution offers an optional ‘self service’ portal, enabling end users to remotely wipe or lock their device in seconds if it is lost or stolen. The administrator can also perform these tasks from the SMC console.

So, what’s lacking?

The most obvious omission is an inbuilt antivirus deployment capability, especially considering Sophos’ widely acknowledged pedigree in that area. We understand that antivirus may be added in the future.

We are also surprised by the absence of BlackBerry and Windows Phone 7 support, although we suspect these will also be added shortly. Capability for the Android tablet might be another contender needing consideration.

How does it stack up?

In summary, very well indeed. It does exactly what it says on the tin, providing an easy-to-install and simple-to-use system which is feature-rich and flexible. It leverages Sophos’ respected security talents really well.

A final point to remind yourself about is that the SMC serves both personal- and company-owned devices equally well. If you’re considering a mobile device management system, we’d recommend you look at SMC.